Stemming the Flood
Software: New devices could protect Web sites from a common threat.
Since January of 2000, computer saboteurs have knocked out some of the biggest sites on the Web-like eBay, Amazon.com, and Microsoft’s Hotmail and Expedia-by flooding them with bogus Internet traffic. Unlike most computer sabotage, swamping a server requires no breach of security and little computer expertise. The inundating traffic is otherwise innocuous; there’s just too much of it, coming too fast. And programs for launching these “denial-of-service” attacks-so called because the bogus traffic denies legitimate users access to the server-can easily be found online.
But new hardware from several U.S. startups could help sites identify attacks before their servers go under. The leading approach is to monitor a Web site’s traffic, determine its typical ranges of activity and then flag suspicious fluctuations. “One thing about these attacks,” says Rob Malan, chief technology officer and cofounder of one of the startups, Waltham, MA-based Arbor Networks, “is that they are not subtle.” Indeed, they even look much different from the sudden surges of traffic that might accompany, say, an ad for your Web site that runs during the Super Bowl; in a denial-of-service attack, a few computers might download the same data thousands of times, for example. Once identified, bad traffic can be filtered out of the data stream.
When a packet of data travels over the Internet, it passes through a series of routers. Each router looks at the packet, reads its addressing and identification information, and speeds it on its way. Most high-end routers keep statistics on the traffic they see, so both Arbor and Seattle-based Asta Networks sell boxes that plug into routers, analyze their traffic statistics and alert network operators to any anomalies. The Arbor box, which reached the market in May, sends suggested criteria for filtering bad data along with the alert; Asta’s device, released in June, instead sends an exhaustive profile of the suspect traffic.
Mazu Networks of Cambridge, MA, offers a variation on the theme: a device that taps directly into the data stream to observe the traffic whizzing by. The Mazu box isn’t tied to any particular router technology and can, if necessary, investigate a packet’s cargo, which routers don’t examine. But unlike Arbor and Asta, it can’t yet handle the top speeds of the fastest Internet connections available; and it requires a second device to filter bad packets. The Mazu system completed beta testing in April and was formally launched in June.
Captus Networks of Woodland, CA, takes a different approach. The Captus device allows network operators to set a rate limit on incoming traffic. When the limit is exceeded, the device sends standard Internet Protocol requests to all the computers connected to it, asking that they slow their transmissions. Computers generating legitimate traffic respond accordingly; malicious computers don’t, and their traffic is then filtered out.
Some industry insiders worry that such close attention to each incoming packet could slow a network down. “I don’t want another box inline to pass my packets through,” says analyst Michael Rasmussen of Giga Information Group. But Zeus Kerravala of the Yankee Group believes the Captus device is fast enough to keep up with server traffic for “at least a year and a half to two years,” and that “the technology will improve in that time.” NASA’s Ames Research Center and Exodus Communications of Santa Clara, CA, are currently evaluating the device.
With four new options to choose from, the Web’s most popular sites should-for the time being-be able to shield themselves from vindictive 13-year-olds.